JP2007114855A - Information processor, method for controlling information processor, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To allow a database to be transparently treated for an application in a database system where a storage medium for storing the correspondence between real name data and false name data may be accessible and inaccessible. <P>SOLUTION: This information processor is connected to a database 111 in which a real name table and a false name table are stored, and configured to read a correspondence table from a storage medium 205 in which a correspondence table 206 of real name data and false name data is recorded, and to decide whether the correspondence table 206 can be accessed, and to receive a query to be executed for the database 111, and to decide whether or not it is necessary to associate the real name data with the false name data for executing the received query, and to convert the received query into a new query based on the correspondence table 206 when it is necessary to associate the real name with the false name, and the correspondence table 206 is accessible, and to transmit the new query to the database 111. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a technique for handling computerized personal information, and relates to a technique for managing data in a database by dividing the data into real name data and pseudonym data.

  In recent years, social demands for privacy protection are increasing, and privacy is indispensable in information systems of companies that handle personal information. Personal information is information relating to an individual, and includes information that can identify a specific individual by name, date of birth, and other descriptions, and other information that can be collated with these information. Although personal information to be protected and its state have not yet been fully established as a social convention, the so-called Personal Information Protection Law and related laws and regulations that have been fully enforced at least in April 2005 for personal information handling businesses It is essential to comply.

  According to the Personal Information Protection Act, personal information is collected, stored, used, and personal information handling business owners who are responsible for management are disclosed for the purpose of disclosure to information subjects that are specific individuals identified by personal information. It is stipulated that personal information is handled along the way. That is, according to the Personal Information Protection Law, not only is personal information regarded as confidential information, but also prepared for an unexpected leak, further measures for appropriately using personal information are required.

  As a technique for responding to the above request of the Personal Information Protection Act as an information processing system, for example, in the technology described in Non-Patent Document 1, by separating the relationship between personal information and real names, purchasing history and account transaction Such transactions are restricted from being used in association with information subjects. Specifically, the personal information table in the database is divided and managed into a real name table storing real name data and a pseudo name table storing pseudonym data, and related to the same information subject stored in each table Different IDs (identifiers) are assigned to the records. The real name data is electronic data that can identify a specific individual, and the pseudonym data is other electronic data that can be collated with real name data.

  In the technique described in Non-Patent Document 1, a correspondence table between real name data IDs (hereinafter referred to as real name IDs) and pseudonym data IDs (hereinafter referred to as pseudonym IDs) Isolate to device. That is, the combination processing of real name data and pseudonym data of the same information subject is controlled from outside the database by the ID correspondence table in the secure device. In addition, when the ID correspondence table is exposed (leaked) outside the secure device, the ID correspondence table and the pseudonym ID in the database are rewritten to prevent the ID correspondence table from being illegally used. it can.

  By the way, when constructing an application using an RDB (Relational Database), it is general to use SQL (Structured Query Language) defined in ISO / IEC 9075: 1992 or the like. Since SQL is a declarative programming language, it is only necessary to define a desired data set in an SQL statement when programming. Also, when building an application that uses RDB, a data set is formed such that a data search condition including a host name, a database, a table, an item, and other resource names is specified and a data set is obtained from the RDB. In many cases, the procedural processing is left to the RDB. For this reason, when the technique described in Non-Patent Document 1 is applied to an actual system, the structure of a table that is newly divided so that the application can transparently access the table that is divided and managed. Therefore, it is necessary to modify the processing procedure in accordance with the development cost due to testing and implementation.

On the other hand, Patent Document 1 includes a dictionary storing RDB definition information for making a plurality of RDBs appear as one virtual RDB, and an SQL program issued by the application to the virtual RDB. A technique for converting to an SQL program required for RDB is disclosed. In the technique described in Non-Patent Document 1, a real name table, a pseudonym table, and an ID correspondence table can be regarded as a distributed RDB table. The distributed RDB can be made to appear to an application as one virtual RDB by the technique described in Document 1.
Yoshinori Sato, Akihiko Kawasaki, Toyohisa Morita et al .: “Personal information management system based on linkability control”, 30th CSEC presentation at Information Processing Society of Japan (ITEC / SITE joint holding), Iwate University, 2005.7. twenty two Japanese Patent No. 2837525

  However, the technique described in Patent Literature 1 is based on the assumption that each RDB is always accessible from an application unless there is a failure in the communication path. As in the ID correspondence table, no consideration is given to the case where the system can distinguish between the case where the system can access the ID correspondence table and the case where the system cannot access the ID correspondence table. Therefore, with the technique described in Patent Document 1, it is not always possible to give appropriate data to an application while there is no ID correspondence table. Further, the ID correspondence table needs to be kept secret from the database and the application. However, the technique described in Patent Document 1 is transparent to distributed data in consideration of the existence of such confidential data. There is no mention of the technology handled in

  The present invention has been made in view of such problems. A storage medium in which personal data is separated into a real name table and a pseudonym table and managed in a database, and a correspondence table of real name data and pseudonym data is stored. An object of the present invention is to provide an information processing apparatus capable of transparently handling data with respect to an application, a control method for the information processing apparatus, and a program in a system in which access is possible and inaccessible. To do.

  A main invention of the present invention for solving the above-described problems is an information processing apparatus, which is an interface connected to a CPU and a memory, and a database storing a real name table including real name data and a pseudonym table including pseudonym data An interface for reading the correspondence table from a recording medium in which a correspondence table of the real name data and the pseudonym data is recorded, a state determination unit that determines whether or not the correspondence table can be accessed, and the database. A query receiving unit that receives the query, a query determination unit that determines whether the real name data and the pseudonym data need to be associated with each other when the received query is executed, and the association is necessary And when the correspondence table is accessible, the reception is performed based on the correspondence table. And query converter for converting the query to a new query with, and to have an interface for transmitting the query to the database.

  According to the present invention, when executing the query received from the application, it is determined whether or not the real name data and the pseudonym data need to be associated with each other. Is converted to a new query, and the converted new query is executed against the database. Therefore, it is possible to execute a query received from an application regardless of the presence or absence of the correspondence table, and to make the database appear transparent to the application. In addition, this eliminates the need for implementing real name data and pseudonym data combining processing on the application side using the database.

  According to the present invention, the personal data is separated into the real name table and the pseudonym table and managed in the database, and the storage medium storing the correspondence table of the real name data and the pseudonym data is accessible and inaccessible. In such a system, the database can be made transparent to an application using the database.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

== Example 1 ==
FIG. 1A shows the configuration of an information processing system 100 described as the first embodiment. The information processing system 100 is communicably connected to the information processing system 100 via the communication network 201, the divided database management unit 101, the application 200 (payroll calculation application 202, the attendance record counting application 203, the attendance management application 204), the IC card 205, In addition, a real database 111 accessed by the application 200 is included. The communication network 201 is a network capable of communication by TCP / IP, for example. When the information processing system 100 shown in FIG. 1A is configured as a client / server type system, for example, the divided database management unit 101 is a function realized in a server computer, and the application 200 is executed in a client computer. This is a function that is realized.

  The real database 111 is an RDB format database managed by an RDBMS (Relational DataBase Management System) executed on a predetermined computer. The IC card 205 is a portable recording medium that is communicably connected to the communication network 201 via a reader / writer device or the like. In the IC card 205, an ID correspondence table 206 indicating the correspondence between the real name data and the pseudonym data is recorded. The ID correspondence table 206 is managed safely by performing encryption or encrypted communication so that it can be accessed only from the divided database management unit 101.

  FIG. 1B is another configuration example of the information processing system 100. In the case of the information processing system 100 shown in the figure, the real database 111 is not directly connected to the communication network 201, and the real database 111 is directly connected to the computer in which the divided database management unit 101 is realized. That is, in the case of the information processing system 100 shown in FIG. 1B, the real database 111 can be managed more safely because the real database 111 cannot be directly accessed through the communication network 201.

  1A and 1B, the distributed database management unit 111 functions as a proxy server (proxy server) that mediates an access request to the real database 111 from the application 200. The application 200 accesses the real database 111 by designating the identifier (host name, IP address, etc.) of the divided database management unit 101 as an identifier for accessing the real database 111.

  FIG. 2 is a hardware configuration example of a computer used to realize the divided database management unit 101, the application 200, and the real database 111. A computer 60 shown in the figure is a CPU 61, a memory 62 such as a RAM / ROM, a hard disk 63, an input device 64 such as a keyboard and a mouse as a user interface for inputting data, and a user interface for displaying data. A display device 65 such as a liquid crystal display or a cathode ray tube display, a communication interface 66 for connecting to the communication network 201 for communication, and the like are included.

  FIG. 3A shows a specific software configuration of the information processing system 100 centering on the divided database management unit 101. The divided database management unit 101 stores a copy of the virtual database I / F unit 102 (query receiving unit), the query conversion unit 103 (query determination unit, query conversion unit), the ID correspondence table state determination unit 104, and the ID correspondence table 206. ID correspondence table cache unit 105 (correspondence table storage unit), ID disturbance unit 106, real database I / F unit 107, and the like. Note that these functions are realized by the functions of the hardware included in the computer 60 and by the CPU 61 executing programs stored in the memory 62 and the hard disk 63.

  As shown in FIG. 3A, in the actual database 111, an employee master 303, work records 304, and work record summary data 305 are stored as tables. The employee master 303 is a table corresponding to the real name table described above, and the work record 304 and the work record total data 305 are both tables corresponding to the aforementioned pseudonym table. Since the actual database 111 is an RDB database, a set of data such as tables and views is managed in units of resources called databases. In this embodiment, it is assumed that the employee master 303, the work record 304, and the work record total 305 are stored in a database having the resource name “employee”.

  In general, the RDBMS has a difference in the degree of unique extension function and standard correspondence for each vendor. Further, depending on the language in which the application 200 is described, there may be a case where an SQL statement cannot be described directly in the source code. In such a case, for example, as shown in FIG. 3B, DB middleware 901 in which a plurality of different RDB (Relational Database) functions are shared / abstracted between the application 200 and the divided database management unit 101. What is necessary is just to interpose 902,903.

  In this case, communication between the application 200 and the divided database management unit 101 is performed via DB middleware 901, 902, and 903. 3A, communication between the divided database management unit 101 and the application 200 is performed using a communication protocol used by the real database 111. In the configuration of FIG. 3B, DB middleware 901, 902 This is performed using the communication protocol 903. In this way, when the DB middleware 901, 902, and 903 are interposed, there is an advantage that it is not necessary to build an interface for connecting the application 200 to the divided database management unit 101 in the application 200. The information processing system 1 of the present invention can be introduced without impairing the reliability, because it can be combined with the divided database management unit 101 without modifying a certain highly reliable application 200. A specific example of the DB middleware 901, 902, 903 is a runtime library of an operating system.

  Next, data handled in the information processing system 100 will be described. FIG. 4A is an example of the employee master 303. Each record of the employee master 303 includes items of employee ID 3031, name 3032, affiliation 3033, job title 3034, and address 3035. Among these items, in the item of employee ID 3031, a unique identifier assigned to each employee such as “001” and “002” is stored. In this embodiment, the identifier stored in the employee ID 3031 is referred to as a real name ID or a real name employee ID.

  FIG. 4B shows an example of the work record 304. A record is appropriately added to the work record 304 by the attendance management application 204. Each record of the work record 304 includes items of employee ID 3041, recording date and time 3042, and recorded content 3043. In this embodiment, the personal data of the same person is divided into a real name table using real name data and a pseudonym table using pseudonym data and managed in the real database 111. For this reason, even for the same employee data, different values are stored in the employee ID 3031 of the employee master 303 shown in FIG. 4A and the employee ID 3041 of the work record 304 shown in FIG. 4B. In this embodiment, it is assumed that a real name ID that is real name data is stored in the employee ID 3031 of the employee master 303, and a pseudonym ID that is pseudonym data is stored in the employee ID 3041 of the work record 304.

  The correspondence between the employee ID 3031 of the employee master 303 and the employee ID 3041 of the work record 304 is shown in the ID correspondence table 206. The correspondence between the contents of the employee master 303 and the contents of the work record 304 can be made only by referring to the ID correspondence table 206, and is hidden from the application 200 when the ID correspondence table 206 does not exist. In other words, the application 200 cannot acquire information such as the name and affiliation of the employee master 30 from the identifier stored in the employee ID 3041 of the work record 304, for example.

  In the example of the work record 304 shown in FIG. 4B, a specific example of the employee ID 3041 (a pseudonym ID) having “P” as a prefix is used. As the pseudonym ID, for example, a real name ID is used. Those converted by a hash function can be used. By using the pseudonym ID that is difficult or impossible to guess the real name ID, the safety of the information processing system 1 can be improved. In the following description, the identifier of the employee ID 3041 of the work record 304 is also referred to as a pseudonym ID or a pseudonym employee ID.

  FIG. 4C shows an example of the work record total data 305. The work record total data 305 stores a total value of work hours for each employee ID (pseudo-name ID). The attendance record tabulation application 203 performs calculation using the work record 304 as input data. Each record of the work record total data 305 includes items of an employee ID 3051 (a pseudonym ID), a total month 3052 (may be a year unit), and a total work time 3053.

  FIG. 4D is an example of data output by the salary calculation application 202. The output data 306 shown in the figure is salary data for each employee. The output data 306 includes items of name 3061, total amount of payment 3062, total working time 3063, income tax 3064, and resident tax 3065 stored in the employee master 303. In the total work time 3063, the contents of the total work time 3053 stored in the work record total data 305 are output. The output data 306 is used by, for example, an application that prints salary details.

  FIG. 5A is an example of a table stored in the resource definition database 108. In the table 503 shown in the figure, the host name 5031 of the server computer on which the real database 111 is operating is stored.

  A table 500 and a table 504 illustrated in FIG. 5B are examples of tables stored in the resource definition database 108. The table 500 is a table in which items using a pseudonym table and a pseudonym ID are registered, and includes items of a database name 5001 in which pseudonym data is used, a pseudonym table name 5002, and a pseudonym ID 5003. The pseudonym ID 5003 stores the item name for which the pseudonym ID is used. In the table 500 shown in FIG. 5B, it is registered that the employee ID of the work record 304 stored in the database having the resource name “employee” is an item representing the pseudonym ID. A table 504 shown in FIG. 5B is a table in which items using the real name table and the real name ID are registered. The items of the database name 5041, the real name table name 5042, and the real name ID 5043 in which the real name is used are stored. Have. In the table 504, it is registered that the real name ID is used for the employee ID 3031 of the employee master 303 stored in the database having the resource name “employee”.

  A table 501 illustrated in FIG. 5C is a table stored in the response definition database 109. The response definition database 109 stores a response message returned from the divided database management unit 101 to each application 200. Each record of the table 501 includes items of an application ID 5011, a name 5012, response data 5013, and a completion status 5014. Among these, the application ID 5011 stores an identifier of the application 200, for example, a code given by the designer, a user name of a database account used by the application 200, and the like. The name 5012 stores a character string that identifies the application 200.

  When the application 200 transmits a query that must associate the real name data of the real name table and the pseudonym data of the pseudonym table in a situation where the ID correspondence table 206 cannot be accessed from the divided database management unit 101 to the response data 5013 The type of response message returned to the application 200 is stored. For example, when “empty data” is stored in the response data 5013, it means that the divided database management unit 101 returns an empty data set to the application 200. When “pseudo data” is stored in the response type 5013, a table in which each item of the real name table registered in the table 504 is filled with random values is transmitted to the application 200 as response data, and the response data This means that the content of is not necessarily guaranteed. The completion status 5014 stores a completion status indicating the execution result of the query. The completion status stores “normal”, “abnormal”, and an error code indicating specific contents of the execution result.

  The table illustrated in FIG. 5D is an example of the ID correspondence table 206. The ID correspondence table 206 includes an item of a real name ID 2061 and an item of a pseudonym ID 2062, and shows a correspondence relationship between the real name ID and the pseudonym ID.

  The table shown in FIG. 5E is an example of a table that stores a copy of the ID correspondence table 206 that exists in the ID correspondence table cache unit 105. When the divided database management unit 101 can access the ID correspondence table 206, the real name ID 5021 of the table 502 stores the real name ID. When the divided database management unit 101 cannot access, the real name ID 5021 of the table 502 contains nothing. Is not stored. FIG. 5E shows a state where no content is stored in the real name ID 5021.

= Description of processing =
<When not referring to the ID correspondence table 206>
Here, as an example of processing performed using the pseudonym employee ID stored in the item 3041, when the attendance management application 204, which is performed without referring to the ID correspondence table 206, accesses the real database 111, Processing performed by the divided database management unit 101 will be described with reference to a flowchart 600 shown in FIG. 6A.

  When accessing the real database 111, the attendance management application 204 first executes processing for connecting to the virtual database provided by the divided database management unit 101 (hereinafter referred to as connection processing). In this connection process, the attendance management application 204 transmits connection information (DB user name, password, connection database name, etc.) to the divided database management unit 101. The virtual database I / F unit 102 of the divided database management unit 101 receives the connection information transmitted from the attendance management application 204 (S611).

  When the connection information is received by the divided database management unit 101, the query conversion unit 103 of the divided database management unit 101 next identifies the host name of the real database 111 based on the connection information and the table 503, and A connection request to the real database 111 is transmitted to the database I / F unit 107 (S612). Next, the real database I / F unit 107 transmits connection information to the real database 111 (S613), and waits for a response from the real database 111.

  Next, when the connection result for the real database 111 is received by the virtual database I / F unit 102 (S614), the divided database management unit 101 transmits the received connection result to the attendance management application 204 (S615). If the connection to the real database 111 is successful, a session is established between the attendance management application 204 and the real database 111. This session is held by the functions of the virtual database I / F unit 102 and the real database I / F unit 107 until the disconnection process is performed.

The record addition process to the work record 304 by the attendance management application 204 is performed in a state where the session is established. The attendance management application 204 obtains data including information such as a pseudonym employee ID and attendance time and leaving time from a personal computer or an IC card possessed by the employee, and obtains the obtained data. Add time. Then, a query for adding a record corresponding to the acquired data to the work record 304 is generated and transmitted to the divided database management unit 101. For example, a query for adding the attendance time of “Sato” who is an employee assigned “P001” as the pseudonym ID to the work record 304 is described as follows.
INSERT work record (employee ID, record date, record contents)
VALUES (P001, '2005-04-01 09:00:00', 'Attendance'); (1)
In the above query, for convenience of explanation, character strings of table names and item names are written in Japanese, but are actually written in a character string set permitted by SQL.

  Next, processing performed by the divided database management unit 101 when the query is transmitted from the attendance management application 204 will be described with reference to a flowchart 620 shown in FIG. 6B.

  First, the virtual database I / F unit 102 of the divided database management unit 101 receives a query from the attendance management application 204 (S621). Next, the query conversion unit 103 analyzes the received query (S622), and determines whether it is necessary to associate the real name table with the pseudonym table based on the item name specified in the SELECT syntax of the query. (S623). For this determination, for example, the table name and the item name are extracted from the character string specified in <conditional expression> of the SELECT syntax "SELECT ... FROM ... WHERE <conditional expression>", and the extraction result Are compared with the tables 500 and 504, the pseudonym table name defined in the table 500 and the item name of the pseudonym ID, the real name table name defined in the table 504, and the item name of the real name ID are “ This is done by checking whether or not they are connected by a comparison operator such as “=”, “<=”, “> =”.

  For example, in the case of the table 500 and the table 504 shown in FIG. 5B, regarding the equality operator, “employee master.employee ID = work record total data.employee ID”, employee master.employee ID = The two conditional expressions “work record.employee ID” are to be checked. When at least one of these conditional expressions exists in the query received from the attendance management application 204, the query conversion unit 103 determines that the real name table and the pseudonym table need to be associated with each other, and exists If not, it is determined that it is not necessary to associate the real name table with the pseudonym table.

  Note that there are multiple SELECT syntax “SELECT ... FROM ... WHERE <conditional expression>” in the received query, such as when nesting is included or when using “;” (semi-colon). If it exists, it is determined that the real name table needs to be associated with the pseudonym table if at least one of them contains the conditional expression. In addition, regarding an instruction substantially equivalent to the SELECT syntax such as “ON”, “USING”, and “JOIN”, for example, the above-described determination processing is performed after the command is temporarily reduced to the SELECT syntax.

  Here, the query (1) is for processing only the work record 305, and the query (1) does not include any of the above conditional expressions. Therefore, in this case, it is determined that it is not necessary to associate the real name data with the pseudonym data (S623: unnecessary), and the process proceeds to (S625). Unlike the query (1), when a query including any of the above conditional expressions is transmitted from the attendance management application 204, it is determined that there is a need to associate real name data with pseudonym data ( (S623: YES), the process proceeds to (S624). The specific contents of the processing of (S624) will be described in detail in the description using the salary calculation application 202 later.

  In the processing of (S625), the query conversion unit 103 specifies the host name of the real database 111 with reference to the table 503 (S625), and sends a query transmission request to the real database 111 to the real database I / F unit 107. Is sent out. Upon receiving the transmission request, the real database I / F unit 107 transmits the query received from the attendance management application 204 to the real database 111 (S626).

  When the real database 111 receives the query transmitted from the real database I / F unit 107, the real database 111 executes the received query. If the received query is query (1), one record is added to the work record 304. In the processing of (S627), the real database I / F unit 107 receives the execution result of the query from the real database 111. When the virtual database I / F unit 102 receives the query execution result, the status code indicating the success or failure of the database operation is transmitted to the attendance management application 204 to the attendance management application 204 (S628).

  The above is an example of processing related to access to the real database 111 from the attendance management application 204, which is performed without referring to the ID correspondence table 206. Similar to the processing for the attendance management application 204 described above, the processing related to access to the actual database 111 from the work record totaling application 203 performed without referring to the ID correspondence table 206 is also shown in FIGS. 6A and 6B. This is performed according to the flowchart shown in FIG.

When the application user designates an arbitrary period such as between April 1, 2005 and April 30, 2005, the work record totaling application 203 refers to the work record 304 within the designated period. The work hours of each employee are totaled, and the result is output to the work record total data 305 of the actual database 111. Here, the work record totaling application 203 issues, for example, the following query to the divided database management unit 101 in order to obtain data within the specified period stored in the work record 304.
SELECT employee ID, record date, record contents FROM employee master
WHERE recording date> = '2005-04-01 0:00:00' AND recording date <= '2005-04-30 23:59:59'; (2)

The work record totaling application 203 calculates a work time for each employee ID based on the execution result of the query, and issues a query for adding a record to the work record total data 305 to the real database 111. For example, when an employee who is given “P001” as a pseudonym employee ID has worked for a total of 40 hours, the work record totaling application 203 transmits the following query (3) to the real database 111. To do.
INSERT Work record summary data (employee ID, total working hours) VALUES (P001, 40); (3)
The above is an example of processing related to access to the real database 111 from the work record totaling application 203 that is performed without referring to the ID correspondence table 206, but only the customer master 303 that is performed without referring to the ID correspondence table 206 only. The process of accessing is also performed in the same manner as described above.

  As described above, when the query transmitted from the application 200 targets only the real name table or only the pseudonym table, the query can be normally executed even if the ID correspondence table 206 does not exist. it can.

<When referring to the ID correspondence table 206>
Next, regarding processing performed with reference to the ID correspondence table 206, processing when the salary calculation application 202 accesses the real database 111 while referring to the ID correspondence table 206 will be described as a specific example.

  The ID correspondence table 206 is stored in the IC card 205, and the divided database management unit 101 can refer to the ID correspondence table 206 by setting the IC card 205 to a reader / writer device or the like. The sequence 700 shown in FIG. 7A occurs when the holder of the IC card 205 sets the IC card 205 in a reader / writer device or the like, and the divided database management unit 101 becomes communicable with the ID card 205. This is processing performed by the divided database management unit 101 that is started in response to an interrupt signal.

  When an interrupt signal is generated, the ID correspondence table state determination unit 104 first determines whether or not the ID correspondence table 206 can be read (S711). When a password is set in the IC card 205, it can be read if password authentication is completed. If no password is set, the card can be read out when the physical connection of the card is recognized.

  In the processing of (S712), the ID correspondence table state determination unit 104 sends a cache update request to the ID correspondence table cache unit 105. The ID correspondence table cache unit 105 manages lock state variables in order to exclusively control access to the cache 502. The lock state variable is accessed from the ID correspondence table cache unit 105, the query conversion unit 103, and the ID disturbance unit 106. Possible values of the lock state variable are `` OK '' indicating that exclusive control is not performed, `` W '' indicating that updating (write) is not possible from processes other than exclusive process, There is “R / W” or the like indicating that neither reading nor updating is possible.

  For example, when the query conversion unit 103 uses the cache 502, the lock state variable is “W”, and the cache update process by the ID correspondence table cache unit 105 or the ID update process of the ID disturbance unit 106 is executed. If it is, the lock state variable is “R / W”; otherwise, the lock state variable is “OK”. The lock state variable is implemented as a variable or file on the memory 62 by, for example, a system function provided by the operating system.

  In the process of (S713), the ID correspondence table cache unit 105 waits until the lock state variable becomes “OK”, and when the lock state variable becomes “OK”, the lock state variable is changed to “R / W”. Yes. In the processing of (S 714), the ID correspondence table cache unit 105 reads the ID correspondence table 206 from the IC card 205 and copies the ID correspondence table 206 to the cache 502, which is a storage area secured on the memory 62 (or real name) ID value only). At this time, the cache 502 stores the correspondence data of all real name IDs and pseudonym IDs. In the processing of (S715), the ID correspondence table cache unit 105 sets the lock state variable to “OK”.

  The sequence 720 shown in FIG. 7B is an interrupt generated when the IC card 205 becomes incapable of communicating with the divided database management unit 101 by the IC card 205 holder being pulled out of the reader / writer device or the like. This is processing performed by the divided database management unit 101 that is started in response to a signal.

  In the processing of (S721), the ID correspondence table state determination unit 104 sends a cache content discard request to the ID correspondence table cache unit 105. In the processing of (S722), the ID correspondence table cache unit 105 waits until the lock state variable becomes “OK”, and changes the lock variable to “R / W” when the lock state variable becomes “OK”. . In the processing of (S723), empty data is substituted in the real name ID column of the cache 502. In the process of (S724), the ID correspondence table cache unit 105 sets “OK” in the lock state variable.

  Next, processing in which the payroll application 202 accesses the actual database 111 with reference to the ID correspondence table 206 will be described. It is assumed that the payroll application 202 has already established a session with the actual database 111.

First, the salary calculation application 202 acquires the name and total working time of each employee from the real database 111, so that the following query (4) is transmitted to the divided database management unit 101, so All employee IDs 3031 are acquired. This process is performed according to the process of FIG. 6B described above, for example.
SELECT Employee Master.Name, work record summary data.Total working hours
FROM employee master, work record summary data
WHERE Employee master. Employee ID = Work record summary data. Employee ID AND
Employee master. Employee ID = '001'; (4)

  Next, the divided database management unit 101 executes processing similar to (S621) to (S623) in the flowchart of FIG. 6B. In this case, in the process of (S623), the correspondence between the employee ID 3031 (real name data) of the customer master 303 (real name table) and the employee ID 3051 (fake name data) of the work record totaling data 305 (false name table) is the correspondence. Since it is determined that it is necessary, the query conversion process is executed (S624).

  Details of the query conversion process (S624) are shown in a flowchart 800 of FIG. In the query conversion process (S624), first, the query conversion unit 103 makes an inquiry to the ID correspondence table state determination unit 104 to check whether the ID correspondence table 206 is accessible (S811). If it is accessible (S811: accessible), the process proceeds to (S812). In the processing of (S812), the query conversion unit 103 waits until the lock state variable becomes “OK”, and when the lock state variable becomes “OK”, the query conversion unit 103 sets the lock state variable to “W”.

  Next, the query conversion unit 103 executes conversion processing for the query received from the salary calculation application 202 (S813). Here, the salary calculation application 202 refers to the employee ID 3031 (real name data) of the employee master 303 (real name table) and the employee ID 3051 (fake name data) of the work record total data 305 (fake name table). The process is executed assuming that the same identifier is stored in the record for the employee, but the real name ID (real name data) is used in the employee master 303 (real name table), and the work record total data 305 (fake name table) ) Uses pseudonym IDs (pseudoname data) (for example, pseudonym ID “P001” for real name ID “001”). For this reason, if the query (4) is executed as it is, the result expected by the application 200 cannot be obtained. Therefore, in the conversion process of (S813), the query received from the payroll application 202 is converted into a query that conforms to the table structure of the real database 111 so that the result expected by the application 200 can be obtained.

  In the query conversion process (S823), first, as in the process of (S622) and (S623) of FIG. 6B described above, a table connected by a comparison operator from the character string described in the WHERE clause of the SELECT syntax. Names and item names are extracted, and the table 504 or table 500 that matches the table name or item name is selected. In the case of the query (4), “employee master. Employee ID” and “work record total data. Employee ID” are applicable. In the SQL syntax, these mean “table name.item name”.

  Next, the tables to be referred to in the actual database 111 are listed based on the combinations of the listed table names and item names. In the case of the query (4), the character strings “employee master” and “work record total data” are applicable. Next, the WHERE clause of the received query is compared with the registered data of the table 504 and the table 500, and the conditional expressions that refer to the real name ID or the pseudonym ID value are listed. In query (4), the conditional expression “employee master.employee ID = '001'” corresponds.

  Next, the conditional expression referring to the value of the real name ID or the pseudonym ID is compared with the registered data of the table 504 and the table 500, and if necessary, converted into a conditional expression suitable for each of the listed tables. To do. Here, since the combination of the table name and the item name appearing in the conditional expression is registered in the table 504, the conditional expression is regarded as referring to the real name ID.

  In the check process of the employee master 303, since the “employee master” exists in the table 504, the conditional expression remains as it is. In the check process of the work record total data 305, since “work record total data” exists in the table 500, it is determined that the work record total data 305 includes only a pseudonym ID. In this case, the query conversion unit 103 refers to the ID correspondence table 206 stored in the cache 502, identifies the pseudonym ID corresponding to the real name ID, and converts the value of the ID referenced in the conditional expression. Here, the part of “work record total data. Employee ID =“ 001 ”” in the query (4) is converted to “work record total data. Employee ID =“ P001 ””.

Next, the query conversion unit 103 generates a plurality of queries for each of the listed tables. The queries generated corresponding to the query (4) are, for example, the following two queries.
SELECT Employee Master Name
FROM Employee Master
WHERE employee master. Employee ID = '001'; (5)
SELECT work record summary data, total working hours
FROM Work record summary data
WHERE Work record summary data. Employee ID = 'P001'; (6)

  The above is the details of the query conversion process (S813). In the subsequent processes (S814) to (S816), the same processes as (S625) to (S627) in FIG. 6B described above are performed. Then, in the state where the processing of (S816) is completed, two record sets are stored in the real database I / F unit 107 as a result of executing the two queries (5) and (6). In the process of (S817), the data conversion unit 114 obtains a direct product of the two record sets stored in the real database I / F unit 107, and converts the two records into one record set. As a result of the processing of (S817), in the case of the present embodiment, one record {Sato, 40} corresponding to the employee whose employee ID is “001” is obtained.

  In the subsequent process (S818), the virtual database I / F unit 102 transmits the record obtained in (S817) to the payroll application 202, and the virtual database I / F unit 102 completes the response to the query conversion unit 103. Send. In the process of (S819), the query conversion unit 103 changes the lock state variable changed in the process of (S812) to “OK” and releases the lock of the cache.

  In the process of (S811), when it is determined that the ID correspondence table 206 cannot be accessed, the process of (S820) is executed next. In the process of (S820), the divided database management unit 101 refers to the table 501 and determines a response to the payroll application 202. In this embodiment, the completion status is “abnormal end”. In the processing of (S821), the divided database management unit 101 notifies the payroll application 202 of the completion status by a method provided by the RDBMS such as a log or environment variable provided by the RDBMS, for example.

  The above is the processing when the salary calculation application 202 accesses the execution database 111 performed with reference to the ID correspondence table 206. As described above, according to the information processing system 100 described as the first embodiment, the divided database management unit 101 hides the table structure of the real database 111 and the ID correspondence table 206 from the application 200, while Response message can be returned. The response message can be customized for each application 200 according to the connection state of the ID correspondence table 206.

== Example 2 ==
FIG. 9 shows the configuration of an information processing system 1000 described as the second embodiment. Here, in the information processing system 100 described as the first embodiment, all tables are stored in the same physical database 111 physically. However, in the information processing system 1000 according to the second embodiment, data stored in the real database 111 is managed in a state of being distributed to a plurality of physically different databases. Specifically, an employee master that is a real name table is managed in the real database 1002, and a pseudonym table other than the employee master is managed in the real database 1003. Then, the distributed database management unit 1004 shown in FIG. 9 integrates the real database 1002 and the real database 1003, and the contents of the real database 1002 and the real database 1003 are as if one real database exists in the application 200. I will provide a.

  The configuration of the information processing system 1000 is suitable for an environment where a consignment source outsources business to an external contractor by outsourcing or the like. In the following description, the real database 1002 storing the real name table is managed by the business consignment site 91, and the real database 1003 storing the pseudonym table is consigned to the business consignment site (data center) 92. And The business consignment site 91 and the business consignment site 92 are connected by a secure communication method such as a VPN (Virtual Private Network) 1001. In this way, since the work consignment site 92 works exclusively using the pseudonym data, the consignment source can prevent the data associated with the real name from leaking outside.

  FIG. 10 shows a specific software configuration of the information processing system 1000 centering on the divided database management unit 101. 3A is different from the information processing system 100 shown in FIG. 3A in that there are a plurality of real databases 1002 and 1003 in FIG. 10 and that the real databases 1002 and 1003 are respectively distributed by the distributed database management unit 1004. It is controlled.

  FIG. 11A is a flowchart 1100 for explaining processing of the divided database management unit 101 in the information processing system 1000. In the information processing system 1000, the ID correspondence table 206 is also stored in the tables of the real databases 1002 and 1003 by the functions of the divided database management unit 101 and the distributed database management unit 1004. The distributed database management unit 1004 executes queries on the real databases 1002 and 1003.

  Hereinafter, processing performed by the distributed database management unit 1004 of the information processing system 1000 will be described with reference to the flowchart 1100 illustrated in FIG. 11A. The following description will be made with respect to differences from the flowchart of FIG.

  In the flowchart 1100 shown in FIG. 11A, the processes of (S1111) to (S1112) are performed in the same manner as (S811) to (S812) of FIG. The process of the query conversion process (S1113) is the same as the process of (S813) and the query analysis process shown in FIG. 8, but the process of generating a query is different from the process of (S813). That is, in the process of (S1113), when the query conversion unit 103 receives a record necessary for executing the received query in the cache 502 of the ID correspondence table 206, for example, the query (5), The record with the real name ID “001” is written to “TEMPORAL”, which is a temporary table of the real database 1002. Note that the database that stores the temporary table is not necessarily the real database 1002 or the real database 1003, and may be another database managed by the distributed database management unit 1004.

  In the query conversion process (S1113), a query including a process corresponding to the process of (S817) (combination of execution results by direct product) is generated using the table “TEMPORAL”. Specifically, when the divided database management unit 101 receives the query (4) from the salary calculation application 202, for example, the following query (7) is generated by the query conversion process (S1113).

SELECT Employee Master.Name, work record summary data.Total working hours
FROM Employee Master, Work Record Summary Data, TEMPORAL
WHERE employee master. Employee ID = '001' AND
Employee master. Employee ID = TEMPORAL. Real name ID AND
Work record tabulation data. Employee ID = TEMPORAL. Pseudonym ID;
In the query (7), the conditional expression “employee master.employee ID = work record total data.employee ID” in the query (4) is decomposed into the right side and the left side, and the real name ID and the pseudonym ID of the table TEMPORAL are Replaced with comparative text. Since the execution result of the query (7) is one record set, it is not necessary to combine the execution results as in (S817).

  As described above, according to the information processing system 1000 described in the present embodiment, real name data and pseudonym data are associated with each other even when the contents of the real database are managed by two physically different real databases 1002 and 1003. It is possible to perform necessary processing. In the first embodiment, it is necessary to generate a plurality of queries based on the query received from the application 200, and to take a direct product of the execution results and combine them into one execution result. Only one query is generated on the basis of the query received from, and the execution result joining process is unnecessary. Further, similarly to the information processing system 100 of the first embodiment, also in the information processing system 1000 of the present embodiment, processing for only one of the real name table or the pseudonym table is always performed regardless of the presence or absence of the ID correspondence table 206. If necessary, the contents of the real name table and the pseudonym table can be combined by the ID correspondence table 206 to execute processing required by the application 200.

  By the way, in the above configuration of the present embodiment, the contents of the ID correspondence table 206 are also stored in the real databases 1002 and 1003. Therefore, an ID that should be managed as information that can be originally accessed only by the divided database management unit 101. The confidentiality of the correspondence table 206 will be lost. Here, in order to ensure the confidentiality of the ID correspondence table 206, for example, a process (S1119) for reconstructing the contents of the ID correspondence table 206 after the process S1118 is performed.

  FIG. 11B is a flowchart 1150 for explaining the details of the processing of (S1119) in FIG. 11A when the confidentiality of the ID correspondence table 206 is improved. First, the query conversion unit 103 inquires of the ID correspondence table state determination unit 104 whether the ID correspondence table 206 is accessible (S1151). If the ID correspondence table 206 is inaccessible (S1151: not accessible), the process is terminated without executing the subsequent reconstruction process of the ID correspondence table 206. If it is accessible (S1151: accessible), the query conversion unit 103 next requests the ID disturbance unit 106 to disturb the pseudonym ID (S1152). At this time, the ID disturbing unit 106 changes the lock state variable to “R / W” (S1153).

  Next, the ID disturbing unit 106 replaces the pseudonym ID stored in the table “TEMPORAL” with the pseudonym ID newly generated based on the real name ID (S1154). Here, the pseudonym ID generation and the pseudonym ID replacement process are performed as follows, for example. First, a real name ID and a random number are synthesized by performing an XOR operation, and a pseudonym ID is generated by MD5 (Message Digest 5) using the result as a key. Next, it is checked whether or not the generated pseudonym ID overlaps with the pseudonym ID existing in the ID correspondence table 206. If they are duplicated, the random number is changed, and the pseudonym ID generation process (S1154) is performed again. If the pseudonym ID is not duplicated, the old pseudonym ID in the ID correspondence table 206 is replaced with a new value.

  After the replacement of the ID correspondence table 206, it is stored in the items stored in the pseudonym ID item in the table 500 of FIG. 5B (here, the employee ID 3041 in the work record 304 and the employee ID 3051 in the work record total data 305). The searched pseudonym ID is searched, and the searched pseudonym ID is replaced with a new value (S1155). Next, the lock state variable is changed to “OK” (S1156), and finally the contents of the table “TEMPORAL” are deleted (S1157).

  According to the above mechanism, even if the real database is managed by the distributed database management unit 1004, the confidentiality of the ID correspondence table 206 can be ensured.

== Example 3 ==
FIG. 12 shows the configuration of an information processing system 1200 described as the third embodiment. FIG. 13 shows a specific software configuration of the information processing system 1200 centered on the divided database management unit 101. The information processing system 1200 described as the third embodiment is different from the information processing system 100 in the first embodiment in that a secret key 1201 is stored in the IC card 205 instead of the ID correspondence table 206. The third embodiment is also characterized in the process of the ID correspondence table cache unit 105 of the divided database management unit 101 when the IC card 205 becomes accessible compared to the first embodiment.

  The process of the ID correspondence table cache unit 105 according to the third embodiment will be described together with the sequence 1400 illustrated in FIG. 14A. As a premise of starting the sequence 1400, when the IC card 206 is inaccessible, the ID correspondence table 206 encrypted with the private key 1201 is stored in the ID correspondence table cache unit 105. To do.

  A sequence 1400 shown in FIG. 14A is started in response to an interrupt signal generated in response to the holder of the IC card 205 setting the IC card 205 in a reader / writer device or the like. When the interrupt signal is generated, the ID correspondence table state determination unit 104 first determines whether or not the private key 1201 can be read (S1411). When a password is set for the IC card 205, the password can be read if the password authentication is completed. If no password is set, the card can be read out when the physical connection of the card is recognized.

  In the processing of (S1412), the ID correspondence table state determination unit 104 sends a cache update request to the ID correspondence table cache unit 105. The ID correspondence table cache unit 105 manages lock state variables in order to exclusively control access to the cache 502. The lock state variable is the same as in FIG. 7A. In the processing of (S1413), the ID correspondence table cache unit 105 waits until the lock state variable becomes “OK”, and when the lock state variable becomes “OK”, the lock state variable is changed to “R / W”. Yes.

  In the process of (S1414), the ID correspondence table state determination unit 104 reads the secret key 1201 from the IC card 205. In the process of (S1415), the ID correspondence table 206 stored in an encrypted state by the ID correspondence table state determination unit 104 is decrypted with the secret key 1201. The decrypted ID correspondence table 206 is stored in the ID correspondence table cache unit 105.

  The sequence 1420 shown in FIG. 14B starts in response to an interrupt signal generated when the IC card 205 is disconnected from the communication network by the IC card 205 holder being pulled out of the reader / writer device or the like. Is done. This sequence 1420 is performed by the divided database management unit 101.

  In the processing of (S1421), the ID correspondence table state determination unit 104 discards (deletes) the ID correspondence table 206 and the private key decrypted in the cache (memory 62) with respect to the ID correspondence table cache unit 105. A request is being sent out. In the processing of (S1422), the ID correspondence table cache unit 105 waits until the lock state variable becomes “OK”, and changes the lock variable to “R / W” when the lock state variable becomes “OK”. . In the process of (S1423), the ID correspondence table cache unit 105 discards (deletes) the ID correspondence table 206 and the private key decrypted in the cache (memory 62). In the processing of (S1424), the ID correspondence table cache unit 105 sets “OK” in the lock state variable.

  As described above, in the third embodiment, since the ID correspondence table 206 itself does not need to be stored in the IC card 205, the memory capacity to be mounted on the IC card 205 can be reduced. Further, the number of items stored in the ID correspondence table 206 becomes irrelevant to the storage capacity of the IC card 205, and the ID correspondence table 206 having a large data size can be handled. Further, since the divided database management unit 101 only needs to read out the secret key, the load is less than in the case of reading out the ID correspondence table 206, and the processing can be speeded up.

  Incidentally, the configuration of the third embodiment described above can be applied to the second embodiment. Here, since the third embodiment has a configuration in which the ID correspondence table 206 is not stored in the IC card 205, the content of the reconstruction process (S1119) of the ID correspondence table 206 of the second embodiment shown in FIG. 11A is different. That is, when the third embodiment is applied to the second embodiment, for example, the ID correspondence table 206 after the pseudonym ID is replaced with the new pseudonym ID is encrypted with the duplicate key of the secret key 1201, and this is newly described above. Is stored as the encrypted ID correspondence table 206.

  The above description of the embodiment is for facilitating understanding of the present invention, and does not limit the present invention. It goes without saying that the present invention can be changed and improved without departing from the gist thereof, and that the present invention includes equivalents thereof.

It is a figure which shows the structure of the information processing system 100 demonstrated as Example 1 of this invention. It is a figure which shows the structure of the information processing system 100 demonstrated as Example 1 of this invention. It is a figure which shows an example of the hardware constitutions of the computer used in order to implement | achieve the division | segmentation database management part 101, the application 200, and the real database 111 demonstrated as Example 1 of this invention. It is a figure which shows the specific software structure of the information processing system 100 centering on the division | segmentation database management part 101 demonstrated as Example 1 of this invention. It is a figure which shows the specific software structure of the information processing system 100 centering on the division | segmentation database management part 101 demonstrated as Example 1 of this invention. It is a figure which shows an example of the content of the employee master 303 demonstrated as Example 1 of this invention. It is a figure which shows an example of the content of the work record 304 demonstrated as Example 1 of this invention. It is a figure which shows an example of the content of the work record total data 305 demonstrated as Example 1 of this invention. It is a figure which shows an example of the data output by the salary calculation application 202 demonstrated as Example 1 of this invention. It is a figure which shows an example of the table stored in the resource definition database 108 demonstrated as Example 1 of this invention. It is a figure which shows an example of the table stored in the resource definition database 108 demonstrated as Example 1 of this invention. It is a figure which shows an example of the table stored in the response definition database 109 demonstrated as Example 1 of this invention. It is a figure which shows an example of the ID corresponding | compatible table 206 demonstrated as Example 1 of this invention. It is a figure which shows an example of the ID corresponding | compatible table 206 demonstrated as Example 1 of this invention. It is a flowchart explaining the process in which the attendance management application 204 accesses the real database 111 performed without referring to the ID correspondence table 206, which will be described as the first embodiment of the present invention. It is a flowchart explaining the process performed by the division | segmentation database management part 101 when the said query is transmitted from the attendance management application 204 demonstrated as Example 1 of this invention. Sequence diagram for explaining processing started in response to an interrupt signal generated in response to an owner of an IC card 205 setting the IC card 205 in a reader / writer device or the like, described as a first embodiment of the present invention It is. According to the interrupt signal generated when the IC card 205 is disconnected from the communication network by the holder of the IC card 205 withdrawing the IC card 205 from the reader / writer device or the like, which is described as the first embodiment of the present invention. It is a sequence diagram explaining the process started in this. It is a flowchart explaining the detail of the query conversion process of (S624) demonstrated as Example 1 of this invention. It is a figure which shows the structure of the information processing system 1000 demonstrated as Example 2 of this invention. It is a figure which shows the specific software structure of the information processing system 1000 centering on the division | segmentation database management part 101 demonstrated as Example 2 of this invention. It is a figure which shows the flowchart 1100 explaining the process of the division | segmentation database management part 101 in the information processing system 1000 demonstrated as Example 2 of this invention. It is a figure explaining the detail of the process of (S1119) of FIG. 11A demonstrated as Example 2 of this invention. It is a figure which shows the structure of the information processing system 1200 demonstrated as Example 3 of this invention. It is a figure which shows the specific software structure of the information processing system 1200 centering on the division | segmentation database management part 101 demonstrated as Example 3 of this invention. It is a figure explaining the process of the ID corresponding table cache part 105 demonstrated as Example 3 of this invention. It is a figure explaining the process of the ID corresponding table cache part 105 demonstrated as Example 3 of this invention.

Explanation of symbols

100 Information Processing System 101 Divided Database Management Unit 102 Virtual Database I / F Unit 103 Query Conversion Unit 104 ID Corresponding Table State Determination Unit 105 ID Corresponding Table Cache Unit 106 ID Disturbing Unit 107 Real Database I / F Unit 108 Resource Definition Database 109 Response Definition database 111 Real database 200 Application 202 Payroll application 203 Attendance record totaling application 204 Attendance management application 205 IC card 206 ID correspondence table

Claims (15)

CPU and memory;
An interface for connecting to a database storing a real name table including real name data and a pseudonym table including pseudonym data;
An interface for reading the correspondence table from a recording medium in which a correspondence table of the real name data and the pseudonym data is recorded;
A state determination unit that determines whether or not access to the correspondence table is possible;
A query receiver for receiving a query executed on the database;
A query determination unit that determines whether the real name data and the pseudonym data need to be associated with each other when executing the received query;
A query conversion unit for converting the received query into a new query based on the correspondence table when it is determined that the association is necessary and the correspondence table is accessible;
An interface for sending the query to the database;
An information processing apparatus characterized by comprising: The information processing apparatus according to claim 1,
The new query generated by the query conversion unit includes
A first query described to access the real name table by the real name data; and a second query described to access the pseudonym table by the pseudonym data. Processing equipment. The information processing apparatus according to claim 1,
The new query generated by the query conversion unit includes
An access to the real name table by the real name data, an access to the pseudonym table by the pseudonym data, and an access by the real name data or the pseudonym data to the tabulated correspondence table are executed. An information processing apparatus characterized by including a described query. The information processing apparatus according to claim 1,
An interface for transmitting a response prepared for each of the transmission sources to the transmission source of the received query when it is determined that the association is necessary and the correspondence table cannot be accessed; Information processing apparatus. The information processing apparatus according to claim 1,
The state determination unit performs an authentication process on the recording medium in response to an interrupt signal generated when communication with the recording medium becomes possible, and when the authentication process is successful, from the recording medium An information processing apparatus that performs processing for storing a copy of a correspondence table, and further performs exclusive control on the copy of the correspondence table during conversion of the query. The information processing apparatus according to claim 5,
The state determination unit determines whether or not there is access to the duplicate of the stored correspondence table in response to the generation of an interrupt signal generated when communication with the recording medium is disabled. If not, the information processing apparatus deletes the contents of the copy. The information processing apparatus according to claim 1,
The real name table is stored in a first database;
The pseudonym table is stored in a second database;
A distributed database management unit that provides the first database and the second database as one database;
The new query generated by the query converter is
The access to the real name table by the real name data, the access to the pseudonym table by the pseudonym data, and the access by the real name data or the pseudonym data to the tabulated correspondence table are described. An information processing apparatus characterized in that a processed query is included. The information processing apparatus according to claim 7,
The pseudonym ID of the ID correspondence table recorded on the recording medium is replaced with a newly generated pseudonym ID, and the pseudonym ID before replacement stored in the pseudonym table is changed to the pseudonym ID after replacement. An information processing apparatus characterized by: CPU and memory;
An interface for connecting to a database storing a real name table including real name data and a pseudonym table including pseudonym data;
An interface for reading out the secret key from the recording medium on which the secret key is recorded;
A correspondence table storage unit for storing a correspondence table of the real name data and the pseudonym data, encrypted with the secret key;
A state determination unit that determines whether to access the correspondence table, and decrypts the correspondence table with the secret key read from the recording medium;
A query receiver for receiving a query executed on the database;
A query determination unit that determines whether the real name data and the pseudonym data need to be associated with each other when executing the received query;
A query conversion unit that converts the received query into a new query based on the decoded correspondence table when it is determined that the association is necessary and the correspondence table is accessible When,
An interface for sending the query to the database;
An information processing apparatus characterized by comprising: The information processing apparatus according to claim 9,
The state determination unit erases the correspondence table stored in the decrypted state and the stored secret key in response to an interrupt signal generated when communication with the recording medium is disabled. An information processing apparatus characterized by executing processing. A control method for an information processing apparatus having a CPU and a memory, and an interface connected to a database storing a real name table including real name data and a pseudonym table including pseudonym data,
Reading the correspondence table from a recording medium in which a correspondence table of the real name data and the pseudonym data is recorded;
Determining whether to access the correspondence table;
Receiving a query to be executed against the database;
Determining whether it is necessary to associate the real name data and the pseudonym data in executing the received query;
Converting the received query into a new query based on the correspondence table when it is determined that the correspondence is necessary and the correspondence table is accessible; and
Sending the query to the database;
A method for controlling an information processing apparatus, comprising: A control method for an information processing apparatus according to claim 11,
The new query generated by the query conversion unit includes
A first query described to access the real name table by the real name data; and a second query described to access the pseudonym table by the pseudonym data. A method for controlling a processing apparatus. A control method for an information processing apparatus according to claim 11,
The new query generated by the query converter is
It is described to execute access to the real name table by the real name data, access to the pseudonym table by the pseudonym data, and access by the real name data or the pseudonym data to the table corresponding to the table. A method for controlling an information processing apparatus, characterized in that a query is included. A control method for an information processing apparatus according to claim 11,
A step of transmitting a response prepared for each of the transmission sources to the transmission source of the received query when it is determined that the association is necessary and the correspondence table is not accessible. Control method for information processing apparatus. In an information processing apparatus having a CPU and a memory,
A function for connecting to a database in which a real name table including real name data and a pseudonym table including pseudonym data are stored;
A function of reading the correspondence table from a recording medium in which a correspondence table of the real name data and the pseudonym data is recorded;
A function for determining whether to access the correspondence table;
Receiving a query executed against the database;
A function for determining whether the real name data and the pseudonym data need to be associated with each other when executing the received query;
A function of converting the received query into a new query based on the correspondence table when it is determined that the correspondence is necessary and the correspondence table is accessible;
A function of sending the query to the database;
Program to realize.

Images